11374964

Preventing Lateral Propagation of Ransomware using a Security Appliance That Dynamically Inserts a DHCP Server/Relay and a Default Gateway with Point-to-Point Links Between Endpoints

Published: June 28, 2022
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
24 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A computer-implemented method of ransomware protection in a Virtual Local Area Network (VLAN), comprising: using a Dynamic Host Configuration Protocol (DHCP) server associated with a firewall or a router/switch in a shared VLAN environment having a plurality of endpoint devices; detecting ransomware in a shared VLAN environment; utilizing a DHCP server functionality of a security appliance to assign, by the security appliance, a subnet mask of 255.255.255.255 in response to DHCP IP address requests from the plurality of endpoint devices to set the security appliance as a default gateway for the plurality of endpoint devices of the shared VLAN environment; monitoring, by the security appliance, intra-VLAN communication between the plurality of endpoint devices of the shared VLAN environment; and blocking, by the security appliance, lateral propagation of ransomware between endpoint devices via intra-VLAN communication in the shared VLAN environment.

2. The computer-implemented method of claim 1, wherein detecting ransomware in the shared VLAN environment comprises deploying the security appliance in a tap or span port, monitoring a copy of network traffic, and detecting ransomware in the copy of the network traffic.

3. The computer implemented method of claim 2 further comprising quiescing the DHCP server subsequent to the detecting of ransomware in the shared VLAN environment.

4. The computer implemented method of claim 1, wherein the security appliance inserts itself as a DHCP relay in response to the detecting of ransomware.

5. The computer-implemented method of claim 1, wherein the blocking comprises blocking intra-VLAN communication of the compromised endpoint device.

6. The computer-implemented method of claim 1, wherein the monitoring comprises detecting a message attribute of a message originating from an endpoint device indicative of ransomware.

7. The computer-implemented method of claim 6, wherein the message attribute comprises file scanning code or file encryption code.

8. The computer-implemented method of claim 1, wherein the monitoring comprises detecting an attribute of message traffic, relative to a baseline profile of message traffic, indicative of an attempt to laterally propagate ransomware.

9. The computer-implemented method of claim 1, wherein the monitoring comprises: monitoring a response message from a first endpoint device to a second endpoint device not having a corresponding request message from the second endpoint device pass through the security appliance.

10. A computer-implemented method of ransomware protection in a Virtual Local Area Network (VLAN), comprising: monitoring, a copy of intra-VLAN message traffic in a shared VLAN environment having a plurality of endpoint device appliances; in response to an initial detection of ransomware in the copy of the message traffic, quiescing a primary Dynamic Host Configuration Protocol (DHCP) server associated with the shared VLAN environment and deploying a substitute DHCP server functionality associated with a security appliance; assigning, by the security appliance, a subnet mask of 255.255.255.255 to each endpoint device to set the security appliance as a default gateway for the plurality of endpoint devices of the shared VLAN environment; detecting, by the security appliance, attributes of intra-LAN messages indicative of attempted lateral propagation of ransomware from endpoint devices assigned the 255.255.255.255 subnet mask; and quarantining an endpoint device compromised by ransomware by blocking attempted intra-VLAN communication of the compromised endpoint device.

11. The computer-implemented method of claim 10, wherein the detecting comprises detecting message attributes associated with file scanning code or file encryption code.

12. The computer-implemented method of claim 10, wherein the detecting comprises detecting an attribute of message traffic, relative to a baseline profile of message traffic, indicative of an attempt to laterally propagate ransomware.

13. The computer-implemented method of claim 10 wherein the detecting comprises: detecting a response message from a first endpoint device to a second endpoint device not having a corresponding request message from the second endpoint device pass through the security appliance.

14. The computer implemented method of claim 10 wherein the initial detection of ransomware comprises: inspecting, by the security appliance, a copy of the message traffic of the shared VLAN environment and performing deep packet inspection (DPI).

15. The computer implemented method of claim 10, wherein the security appliance is communicatively coupled to a tap port or a span port of a router/switch of the shared VLAN network environment and the security appliance.

16. The computer implemented method of claim 10, where a DHCP lease interval of the plurality of endpoint devices is set to be less than 24 hours.

17. An apparatus to provide ransomware protection in a Virtual Local Area Network (VLAN), comprising: a security appliance having a Dynamic Host Configuration Protocol (DHCP) server functionality, the security appliance having a first mode of operation in which the DHCP server functionality is inactive and a second mode of operation in which the DHCP server functionality is active, the security appliance being further configured to: transition from the first mode of operation to the second mode of operation in response to an initial detection of ransomware in a shared VLAN network environment; respond to DHCP requests of endpoint devices by overwriting the subnet mask 255.255.255.255 to set the security appliance as a default gateway for a plurality of endpoint devices of a shared VLAN environment: monitor, by the security appliance, intra-VLAN communication between the plurality of endpoint devices of the shared VLAN environment; and detect, by the security appliance, lateral propagation of ransomware between endpoint devices via intra-VLAN communication in the shared VLAN environment; and block lateral propagation of ransomware among endpoint devices.

18. The apparatus of claim 17, wherein the security appliance is configured to quarantine an endpoint device compromised by ransomware by blocking intra-VLAN communication of the compromised endpoint device.

19. The apparatus of claim 17, wherein the security appliance instructs a DHCP server of the shared VLAN network to enter a quiescent state in response to the initial detection of ransomware in a shared VLAN network environment.

20. The apparatus of claim 17, further comprising a process and a memory, wherein the security appliance is implemented as computer program instructions stored on the memory and executable on the processor.

21. The apparatus of claim 20, wherein the security appliance is deployed on a tap or span port of a network router/switch and the security appliance, in the first mode, inspects copies of message traffic in the shared VLAN environment and performs the initial detection of ransomware.

22. The apparatus of claim 20, wherein the security appliance is deployed as a DHCP relay and in the first mode acts as a DHCP relay and in the second mode acts as the DHCP server for the shared VLAN network.

23. The apparatus of claim 20, wherein the security appliance responds to an IP address request of an endpoint device by relaying the request to the original DHCP function and overwriting the DHCP response with the subnet mask of 255.255.255.255 and setting itself as the default gateway for the endpoint device.

24. A computer-implemented method of ransomware protection in a Virtual Local Area Network (VLAN), comprising: in a first mode of operation, using a Dynamic Host Configuration Protocol (DHCP) server in a shared VLAN environment having a plurality of endpoint devices; detecting ransomware in a shared VLAN environment; inserting a security appliance as a DHCP relay in response to the detecting of ransomware, including using a DHCP server functionality of the security appliance to assign, by the security appliance, a subnet mask of 255.255.255.255 in response to DHCP IP address requests from endpoint devices to set the security appliance as a default gateway for the plurality of endpoint devices of the shared VLAN environment; monitoring, by the security appliance, intra-VLAN communication between the plurality of endpoint devices of the shared VLAN environment; and blocking, by the security appliance, lateral propagation of ransomware between endpoint devices via intra-VLAN communication in the shared VLAN environment.
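Added example (not part of the patent text or of any vendor's code): a simplified Python model of why a 255.255.255.255 mask sends peer traffic through the gateway, and of the claim 9 check for a response with no matching request seen by the appliance. The `Appliance` class, the addresses, the sample messages and the choice to quarantine the sender of an unsolicited response are all assumptions made for illustration.

```python
import ipaddress

def next_hop(host_ip, mask, gateway, dst_ip):
    """Simplified endpoint routing: on-link peers are reached directly,
    everything else is handed to the default gateway."""
    on_link = ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in on_link else gateway

class Appliance:
    """Hypothetical gateway model: remembers requests it forwarded and
    flags a response that has no matching request (claim 9)."""
    def __init__(self):
        self.pending = set()       # (requester, responder) pairs seen
        self.quarantined = set()   # endpoints whose intra-VLAN traffic is blocked

    def handle(self, src, dst, kind):
        if src in self.quarantined or dst in self.quarantined:
            return "block"
        if kind == "request":
            self.pending.add((src, dst))
            return "forward"
        if (dst, src) in self.pending:      # response to a request we saw
            self.pending.discard((dst, src))
            return "forward"
        self.quarantined.add(src)           # assumption: unsolicited response => quarantine
        return "block"

def replay(messages):
    """Run constructed messages through a fresh appliance."""
    appliance = Appliance()
    verdicts = [appliance.handle(*m) for m in messages]
    return verdicts, appliance.quarantined

# Constructed sample traffic: (source, destination, kind)
SAMPLE = [
    ("10.0.0.5", "10.0.0.6", "request"),
    ("10.0.0.6", "10.0.0.5", "response"),
    ("10.0.0.7", "10.0.0.5", "response"),   # no request from 10.0.0.5 to 10.0.0.7
    ("10.0.0.7", "10.0.0.6", "request"),    # sender is now quarantined
]

if __name__ == "__main__":
    print(next_hop("10.0.0.5", "255.255.255.0", "10.0.0.1", "10.0.0.6"))
    print(next_hop("10.0.0.5", "255.255.255.255", "10.0.0.1", "10.0.0.6"))
    print(replay(SAMPLE))
```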

Patent Metadata

Filing Date

Unknown

Publication Date

June 28, 2022

Inventors

Ritesh R. Agrawal
Vinay Adavi
Satish M. Mohan
